Flowise CVE-2025-59528 (CVSS 10.0): Critical RCE in AI Agent Builder Actively Exploited; 12,000+ Exposed Instances
Date: 2026-04-17
Tags: malicious-tool, supply-chain
Executive Summary
Attackers are actively exploiting CVE-2025-59528, a maximum-severity remote code execution vulnerability in Flowise, the widely used open-source platform for building custom large language model (LLM) applications, chatbots, and AI agent pipelines. The vulnerability carries a CVSS score of 10.0. VulnCheck researchers detected the first confirmed in-the-wild exploitation activity from a Starlink IP address in early April 2026. Current internet scans identify between 12,000 and 15,000 Flowise instances exposed online.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | Flowise CVSS 10.0 RCE In-The-Wild Exploitation |
| Attribution | Unknown (indiscriminate exploitation) (confidence: low) |
| Target | Organizations using Flowise for AI agent and chatbot development; LLM applications with API key storage |
| Vector | Unauthenticated POST request to CustomMCP node with malicious mcpServerConfig parameter |
| Status | active |
| First Observed | 2026-04-08 |
Detailed Findings
The flaw is located in the Flowise CustomMCP node, which allows users to configure connections to external Model Context Protocol (MCP) servers. The node evaluates the mcpServerConfig input parameter using unsafe JavaScript execution without first validating that the content is safe to run. An unauthenticated attacker who sends a crafted request to a vulnerable Flowise instance can execute arbitrary JavaScript and gain full system access, including the ability to read files from the host filesystem, access environment variables and API keys stored in the application, and execute system commands. Flowise instances commonly hold API keys for OpenAI, Anthropic, Azure OpenAI, and other LLM providers, as well as credentials for databases, vector stores, and internal business systems connected through the platform's integrations. An attacker who exploits CVE-2025-59528 on a Flowise instance gains access not just to the host system but to every downstream service whose credentials are configured in the application.
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Remote Code Execution | T1190 | Unsafe JavaScript evaluation in CustomMCP node parameter processing |
| Credential Access | T1110 | Environment variables and API keys extracted from compromised Flowise instance |
| Lateral Movement | T1570 | Stolen downstream service credentials enable access to connected systems |
IOCs
Domains
_Flowise vulnerable versions: 3.0.5 and earlier. Update to 3.1.1 or later to remediate._
Splunk Format
_No IOCs available for Splunk query_
Package Indicators
Flowise versions < 3.1.1
Detection Recommendations
- Patch all Flowise instances to version 3.1.1 immediately.
- Monitor for POST requests to CustomMCP endpoints with unusual mcpServerConfig values.
- Alert on JavaScript error patterns in Flowise logs.
- Scan environment variables and file access logs for signs of API key exfiltration.
- Implement network segmentation to isolate Flowise instances from downstream systems.
- Monitor outbound connections from Flowise to external systems for data exfiltration.
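The unsafe evaluation described under Detailed Findings and the "unusual mcpServerConfig values" check above can share one piece of logic: treat the parameter as strict JSON data and flag anything that does not parse or does not match an expected shape. The following is an added example, not Flowise's own code or its patch; the allowed key names, the size limit, and the log record shape are assumptions.

```javascript
// Added example, not Flowise source code. Key names and the size limit are assumptions.
const ALLOWED_KEYS = new Set(['command', 'args', 'env', 'url', 'headers']);
const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const isStringMap = (v) => isObject(v) && Object.values(v).every((x) => typeof x === 'string');

// Treat mcpServerConfig strictly as data. JSON.parse never executes code,
// so expressions, function calls and unquoted keys fail to parse.
function parseMcpServerConfig(raw) {
  if (typeof raw !== 'string' || raw.length > 16384) throw new Error('not a bounded string');
  let cfg;
  try {
    cfg = JSON.parse(raw);
  } catch {
    throw new Error('not strict JSON');
  }
  if (!isObject(cfg)) throw new Error('not a JSON object');
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) throw new Error(`unexpected key: ${key}`);
  }
  for (const k of ['command', 'url']) {
    if (k in cfg && typeof cfg[k] !== 'string') throw new Error(`${k} must be a string`);
  }
  if ('args' in cfg && !(Array.isArray(cfg.args) && cfg.args.every((a) => typeof a === 'string'))) {
    throw new Error('args must be an array of strings');
  }
  for (const k of ['env', 'headers']) {
    if (k in cfg && !isStringMap(cfg[k])) throw new Error(`${k} must map strings to strings`);
  }
  return cfg;
}

// Detection side: run the same parser over logged request bodies and flag rejects.
function triage(records) {
  return records.map(({ id, mcpServerConfig }) => {
    try {
      parseMcpServerConfig(mcpServerConfig);
      return { id, verdict: 'ok' };
    } catch (e) {
      return { id, verdict: 'alert', reason: e.message };
    }
  });
}

// Constructed sample records (hypothetical log shape), not captured traffic.
const SAMPLE = [
  { id: 1, mcpServerConfig: '{"command":"npx","args":["-y","example-mcp-server"]}' },
  { id: 2, mcpServerConfig: '{ command: buildCommand() }' },
  { id: 3, mcpServerConfig: '{"command":"npx","onLoad":"x"}' },
];
console.log(triage(SAMPLE));
```

Record 2 is rejected because it is JavaScript syntax rather than JSON, which is the class of input a data-only parser should never accept and a log review should surface.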
References
- [Canadian Cyber Security Journal] Flowise CVE-2025-59528 CVSS 10.0: AI Agent Builder Under Active Exploitation With 12,000+ Instances Still Exposed (2026-04-08) — https://cybersecurityjournal.ca/techtalk/83883-flowise-cve-2025-59528-rce-exploitation-ai-agent-builder-2026-04-08/